In their first attempt, UVA team beats veteran cybersecurity
An upstart team of University of Virginia computer science students beat nine nationally ranked competitors this weekend to earn the championship at the National Collegiate Cyber Defense Competition.
The UVA Cyber Defense Team fended off two days of cyberattacks during the competition presented by Raytheon Company in Orlando, Florida, inspiring the students to call it their own Cinderella story.
To even reach the national competition, the UVA team upset defending national champion University of Maryland-Baltimore County in last month’s Mid-Atlantic Collegiate Cyber Defense Competition, held at Johns Hopkins University.
“It’s still sinking in,” said Mariah Kenny, a third-year student and team captain. “I think we’ve all been in shock.”
The students’ challenge was to pose as a professional cybersecurity team defending a fictional biotech company’s network, including its sensitive patient and financial data.
The competition was designed to simulate real-life conditions in which companies employ both “blue teams” – security professionals responsible for thwarting system abuses or outright attacks – and “red teams” of trained hackers who seek to exploit vulnerabilities and gain unauthorized access.
UVA and the other nine universities were blue teams, and industry professionals posed as the red team. Points were awarded to teams that did the best job keeping their networks running, repelling hackers and explaining security breaches and how to fix them. Teams also were evaluated on their ability to handle a continuous stream of technical tasks thrown at them by competition officials to imitate a business environment.
Before the competition, the UVA team had practiced and honed its game plan: divvy up the work; play to each other’s strengths; try not to let any balls drop; and communicate, communicate, communicate.
The first moment of stress came as the competition began, and the firewall that the team thought would be pre-configured for them wasn’t even out of its shipping box yet. They had to unpack and configure it on their own.
“My first 10-minute plan just went out the window, because what I had expected to do was no longer possible,” said Paul Sanders, a fourth-year student who is a double major in computer science and math and was in charge of the firewall for the team. “Mariah just pointed to the box and said, ‘Have fun, Paul.’”
“It was hard, but we kept a cool head,” Kenny said, and that level-headed approach helped them figure out how to add value by configuring and putting to use expensive technologies provided by competition sponsors.
“Our communication skills and teamwork were definitely the greatest factors for us,” first-year student Roman Bohuk said. “There was a person from the competition who stayed in the room with us and helped give us instructions, and he said that our team was the most effective at staying on-task and letting each other know what was going on.”
When the professional hackers had gained access to their network, the team could have panicked, first-year student Jake Smith said. “But instead we just focused on solving the problem, getting our services running and kicking them out of our network,” he said.
“We were very relaxed when we were competing. We didn’t even know how we were doing in comparison with the other teams, because we couldn’t see their scores,” he said. “We just focused on working hard, as opposed to beating the other teams. We’ve spent a lot of time together getting to know each other, and we have a good relationship. And we just have a lot of trust in each other.”
First-year student Calvin Krist said Kenny was a great team leader. “She was always on top of ensuring key tasks got done, and she would encourage us to share what we were doing and our needs. She allowed each of us to do our best work. We have some incredibly talented students, and they were always there for me when the going got tough.”
“We also had a good understanding of how to play the game,” said second-year student Quintin DeGroot.
Besides Kenny, Sanders, Bohuk, Smith, Krist and DeGroot, the team includes graduate student Abbas Naderi and first-year Daniel Chen. Team member Jibang Wu, a third-year, could not attend nationals. Bohuk and Smith are also co-presidents of UVA’s Computer and Network Security Club.
Naderi recounted the cliff-hanger moment when the competition winners were announced.
“Keep in mind that no one had seen a scoreboard comparing the teams, and only the top-three teams would be announced. We were hoping that we would rank somewhere in the first three, because being the fourth would pretty much be the same as being last.
“First, Dakota State University was announced as the third place, making everyone’s heart skip a beat. University of Central Florida was the heftiest opponent, with the competition being in their hometown, and that team having won 2014, 2015 and 2016 national championships. So when they were announced the second-place winners, they were pretty sad.
“By this time, we were saying to ourselves, ‘We are either first or fourth,’ and our heart rates had doubled. Once the words ‘The University of’ came out of the announcer’s mouth for the first-place winner, we knew we had won.”
Besides Kenny, Bohuk and Smith, the team includes graduate student Abbas Naderi Afooshteh, fourth-year student Paul Sanders, second-year Quintin DeGroot and first-years Daniel Chen and Calvin Krist. Team member Jibang Wu, a third-year, could not attend nationals. All are computer science students; Sanders has a double major in math. Bohuk and Smith are also co-presidents of UVA’s Computer and Network Security Club.
Ahmed Ibrahim, assistant professor of computer science and the team’s adviser, said the students’ achievement is outstanding.
“They made history by being the first team to win the national competition as first-time competitors,” he said. “They nailed all of the success factors: They formed a diverse team, planned, did their homework, trained, and communicated well with each other and with industry professionals all the time. They worked hard and smart, and they deserve this success.”
Bohuk said Ibrahim deserves a lot of gratitude for handling the logistics for the team’s travel to the national competition and the qualifying rounds before it. “He was very helpful and encouraging, and he made it very easy for us to participate in the competition and prepare for it.”
The National Collegiate Cyber Defense Competition, presented by defense contractor Raytheon and sponsored by a host of companies and government agencies that are heavily involved in cybersecurity, is an opportunity for students to practice solving problems they will encounter as professionals.
According to a news release from Raytheon announcing UVA’s win, the program “brings academia, government and industry together in a unique way. Everyone recognizes we need to find and train more cyber professionals, and these competitions are critical in helping meet that need,” said Dwayne Williams, the national competition’s director and associate director for technology, research and cyber competitions at the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio.
Ibrahim praised Williams and Greg White, the Center for Infrastructure Assurance and Security’s director, for their huge commitment to the event.
“The competition has been very well organized,” Ibrahim said. “Thanks to them, Raytheon and all the sponsors for offering this opportunity to university students.”
“Our students were focused and diligent in preparing for this challenge, because they are passionate about becoming leaders in cybersecurity,” said Kevin Skadron, chair of the Computer Science Department in UVA’s School of Engineering & Applied Science. “It is a testament to their talent, and the support they received from Professor Ibrahim, that they won the national title the first year they participated. We are very proud of them.”
Bohuk said the competitions gave him a better understanding of how all parts of a system integrate and communicate, and he can apply that to his cybersecurity work at UVA and later in his career.
“The competition teaches us to be very efficient and helps us learn how to follow a plan, how not to get off-task and how to get things done under stress,” he said.
“It’s been an amazing, hands-on experience,” Smith said. “They put us up against some of the best hackers in the world, and we had to learn how to defend against that. We also had the chance to network with a variety of other teams, sponsors and industry professionals. This competition has reaffirmed what I want to do – pursue a career in cybersecurity.”
Chen agreed with his teammates that the opportunity to be in a setting where professionals were actively testing the students was important. “The pressure that comes with conducting incident response can only really be captured through a dynamically changing environment like this, where unexpected situations occur.”
Kenny said the experience has been invaluable. “This is not something you could ever learn in a classroom. These vendors hand you expensive firewalls and technologies that are in use by actual enterprise businesses, and you get to actually configure and implement them in defending your network against active attackers. It mimics real-life experience. This is what people do in their real jobs.
“It’s hard to go back to class again.”